From: "Alexandre E. Kopilovitch"
Newsgroups: comp.lang.ada
Subject: Ariane5 FAQ, Observer's version, 7th draft (hopefully final)
Date: Sun, 10 Aug 2003 06:38:49 +0400 (MSD)

In this 7th draft of the Observer's version of the FAQ, 2 slight editorial changes (corrections of poor grammar) were made in one "A". No other changes were made relative to the previous (6th) draft. Once again, I think that this may be the final draft of this Observer's version of the FAQ. If there are no consistent objections, I'll consider this Observer's version of the FAQ as completed.
(The Professional version of the FAQ may still evolve, independently of the Observer's version.)

Now about placing this FAQ on the WWW: if there are suggestions from owners of WWW sites for that, then I'm ready to do the appropriate HTML formatting for the FAQ.

-----------------------------------------------------------------------------

Q. Was the Ada language somehow related to the Ariane 5 crash in 1996?

A. Yes: at least some components of the Ariane 5 software were written in the Ada language.

Q. Did that software cause the crash?

A. Yes and no. The software written for the previous model, Ariane 4 (where it worked well), was simply put into the new Ariane 5, and nobody bothered to test it on the new rocket before the launch. So when, in flight, the Ariane 4 software turned out to be incompatible with the new Ariane 5, everyone was very surprised and blamed the software.

Q. But the media told us that there was an error in the software that caused the crash. Is that right?

A. No, it is wrong. There was no such error in the software. The software worked perfectly for the purpose for which it was created, that is, for Ariane 4. It was not created for Ariane 5, and there was no reason to expect that it would work for this new rocket. So the error that caused the crash was the blind use of software created for another job. And this error was severely aggravated by a subsequent one: skipping the mandatory test procedure before the first flight.

Q. But why on earth did they expect it to work if they had no reason to? Are you implying that they were idiots? (No conspiracy theories, please.)

A. No. There was an unfortunate collision between popular expectations about modern high-tech devices and the real, difficult issues of international collaboration in sensitive technologies.

Ariane 5 was an international project (within ESA, the European Space Agency), and at the same time it naturally belonged to an area of high secrecy (which, as you probably know, is traditionally maintained within a strictly national frame). This created a difficult situation and led to an uncommonly massive involvement, in the high management of the project, of persons with a political, diplomatic, economic etc. rather than technical background and/or experience. Such persons naturally hold mostly consumer-like expectations about modern high-tech devices. This means that while they may be generally smart and able to hold a position within a large technical project, they nevertheless have different default assumptions (from an engineer's) on many technical issues. So they dealt with one critical part of the equipment as if it were a regular consumer-market product from a reliable vendor: they assumed that they could use the device in all circumstances that were not explicitly and clearly prohibited in its documentation. Because of their insufficient engineering background and/or experience they were not aware of the difference, in this respect, between a complete product and a component part: they did not know well enough that for the latter the defaults are the opposite, that is, you should not use a component device in any circumstances that are not explicitly and clearly allowed.

Q. But certainly there were engineers too, who could see the possible consequences of that approach. So why weren't they alarmed enough?

A. This is a difficult question indeed. One explanation holds that the information paths within the project were interspersed with those managers of the non-engineering kind, and because of that none of the engineers could obtain enough information to recognize the danger. A contributing factor was the specific character of communications and of overlapping responsibilities that often manifests itself in international projects.

Here is an insider's view on those specifics:

"As with many international projects, some of the information is eyes only. This is sometimes a burden for engineers that write the software, since they have to rely on good will and reliable deliveries of sub-components. As you can imagine, Ariane is a fairly complex system which relies on many "sub-systems"; now imagine that all those subsystems come from a different supplier. The integration of all of them is a very large and complex project on its own."

Q. I still don't understand how they managed to avoid testing.

A. They did not avoid testing entirely. Actually they tested most of the rocket equipment, except for the Inertial Reference System (which then caused the crash). This device was excluded from the test procedure and replaced by a simulator (for financial and perhaps schedule reasons). The simulator was written within the Ariane 5 project. The crucial thing is that its developers were not given the documentation for the software, only the source code. Through that administrative restriction some limitations of the software (which were clearly stated in the documentation) were hidden from the developers of the simulator. As a result, the simulator behaved differently from the real device. (It helped to test the other equipment, but no more: the real device remained untested for the new rocket.) Subsequently, after the crash, the original programmers of the Ariane 4 device were blamed for not stating the limitations in comments within the source code (in addition to the documentation).

Q. So, if the limitations had been clearly reflected in comments within the source code, then most probably they would have been seen by the simulator's developers and the disaster would have been averted?

A. Probably not, because simulation of the alignment function of the real device was excluded from the contract for the simulator's development. Consequently, the simulator's developers had no incentive (without the documentation, which was not given to them) to look into the part of the source code where the limitations were violated in flight. (They might have looked there out of curiosity, but time pressure and the general stress surrounding the project left too little room for curiosity.)

The reason for omitting the alignment function from the simulator was that for Ariane 5 that function is not needed after takeoff, and that before takeoff the function really was identical for Ariane 4 and Ariane 5. What was overlooked is that for Ariane 4 that function WAS executed after takeoff (for about 40 seconds), so the unchanged real device would execute it for Ariane 5 too, despite there being no need for it there.

Q. Can you explain in a few words what the actual cause of the launch failure was, technically?

A. There are several points on which Ariane 5 differs from Ariane 4, one of which was instrumental in the events: Ariane 4 is a vertical launch vehicle, whereas Ariane 5 is slightly tilted. The Ariane 4 software was developed to tolerate a certain amount of inclination, but not as much as required by Ariane 5. The chain of events was as follows:

- The on-board software detects that one of the accelerometers is out of range; this was interpreted as a hardware error and caused the backup processor to take over;
- The backup processor also detects that one of the accelerometers is out of range, which caused the system to command an auto-destruction.

Q. Where can I find the official report of the investigation of the Ariane 5 crash?

A. At the time of writing this FAQ the report was available, for example, at: http://www.dcs.ed.ac.uk/home/pxs/Book/ariane5rep.html But read it to the end, because your overall impression will probably be different (and wrong) if you stop in the middle, deciding that you have got it all clear enough.

Q. Where was this topic discussed in depth?

A. For example, in the comp.lang.ada newsgroup (several times). Search that newsgroup for "Ariane 5" and you'll find several threads discussing this topic (the most recent at the time this FAQ was started was a quite long thread with the subject line "Boeing and Dreamliner"; during the development of this FAQ another long thread, with the subject line "Ariane5 FAQ", was running).

-----------------------------------------------------------------------------
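As an added illustration of the mechanism the FAQ describes (constructed here; it is neither the FAQ's text nor the flight software or the real simulator), the model below has the reused device keep its alignment function, and its range assumption, active for 40 seconds after takeoff, a simulator that omits that function, and identical primary/backup channels; the tilt limit and the Ariane 5 profile are constructed values, not the real figures.

```python
from dataclasses import dataclass

ALIGNMENT_WINDOW_S = 40.0   # from the FAQ: Ariane 4 ran alignment ~40 s after takeoff
ARIANE4_MAX_TILT = 5.0      # constructed qualification limit, not the real figure

@dataclass(frozen=True)
class Sample:
    t: float          # seconds after takeoff
    tilt_deg: float   # measured inclination

class OutOfRange(Exception):
    """The device treats a value outside its qualified range as a hardware fault."""

def real_device(s: Sample) -> None:
    """Unchanged Ariane 4 code: alignment stays active until ALIGNMENT_WINDOW_S
    and carries the Ariane 4 range assumption with it."""
    if s.t < ALIGNMENT_WINDOW_S and abs(s.tilt_deg) > ARIANE4_MAX_TILT:
        raise OutOfRange(f"t={s.t}: tilt {s.tilt_deg} beyond {ARIANE4_MAX_TILT}")

def simulator(s: Sample) -> None:
    """Ariane 5 stand-in: alignment was outside its contract, so the post-takeoff
    window is simply absent and the range assumption is never exercised."""
    return None

def fly(profile, device) -> str:
    """Primary/backup channels run identical code, so a violated assumption trips both."""
    for s in profile:
        for _channel in ("primary", "backup"):
            try:
                device(s)
                break                      # sample accepted, go on to the next one
            except OutOfRange:
                continue                   # "hardware fault": hand over to the other channel
        else:
            return f"abort at t={s.t}s: both channels flagged a fault"
    return "nominal"

def preflight_envelope_check(profile) -> list:
    """The check the FAQ says was missing: compare the new vehicle's profile with
    the limits stated in the reused component's documentation."""
    return [s for s in profile
            if s.t < ALIGNMENT_WINDOW_S and abs(s.tilt_deg) > ARIANE4_MAX_TILT]

# Constructed Ariane 5 profile: tilt grows past the Ariane 4 limit before 40 s.
ARIANE5_PROFILE = [Sample(t, 0.25 * t) for t in range(0, 60, 5)]
```

Running the same profile through `simulator` passes while `real_device` aborts, which is the gap the envelope check would have exposed before the first flight.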